Deliveroo customers have been the victim of a hack using stolen passwords from previous breaches. This is indicative of the “domino effect”, where cybercriminals are leveraging breaches from one organisation to gain access to the next and so on. IT security experts from SailPoint, ESET, Netskope, Ping Identity, AlienVault, Lieberman Software, NSFOCUS and Kaspersky Lab commented below.
Kevin Cunningham, Founder and President at SailPoint:
“This illustrates an interesting ‘chaining’ or ‘domino effect’ that data breaches can have across multiple organisations.
“Identity has become the new attack vector. And hackers are all over that fact – finding those orphaned accounts to grab and log into behind the scenes without an IT admin even knowing about it. Or, taking stolen credentials from one breach and using them to access another website. All because a user chose to reuse a password across multiple sites – a very common occurrence.
“Often, it comes down to password hygiene as the starting point to stronger and smarter access management. Use a unique password for every application. Make sure the password is long and more complex – ideally twelve characters should be thought of as a minimum.
“Protecting identity is key: to the safety of our own personal data, to the security of sensitive company data and files, and, to the safety of sensitive data in an organisation that may not even be linked to your own.”
Mark James, Security Specialist at ESET:
“This is an example of one of those instances where passwords have been reused on a site that is possibly considered of secondary importance. We are often cautious about sites that are considered financial or high risk but often don’t apply the same level of concern over the lower ones. This of course can lead to exactly the issue we see here, data taken elsewhere reused to see “if it works”.
Reusing passwords is bad regardless of the site’s perceived importance. A good unique password is even easier with a password manager of which many choices are available now both paid and free; a lot of them will enable you to score your existing passwords to check their strength and uniqueness.”
Andre Stewart, VP EMEA at Netskope:
“The news that hackers have caused Deliveroo customers to pay for takeaway food they did not order reveals the extent to which criminals hunt out opportunities to profit via vulnerable systems and data. No financial information was stolen but cyber criminals recognised an opportunity to make the most of stolen passwords to hack into Deliveroo customer accounts and order food deliveries.
“This hack highlights the fact that businesses and users alike must take steps to protect their information. The threat landscape is growing. Cyber criminals are on the lookout for sensitive data wherever it may be and attempt to target end users almost anywhere – on the company network, using a mobile phone on the train, working on a laptop in a coffee shop or accessing data in the cloud. Each new, successful hack can release a treasure trove of user details in the form of usernames, passwords and other information which can then be used to access other online services. When the same credentials are used across multiple accounts, these breaches can expose data in many different cloud apps and services at the same time, creating significant risks to the enterprise.
“Passwords stolen in a previous major data breach were also used for a number of customers’ Deliveroo accounts, making it easy for thieves to access these accounts and make orders – and subsequently forcing Deliveroo to refund money for those food orders once it was found that customer accounts were breached. Wherever possible, organisations must make end users aware of basic cyber hygiene, steering them towards safe courses of action. Businesses should also monitor credentials revealed in breaches and compare them to those used to access their services. If credentials are found to have been compromised in another breach, companies can prompt customers to change their details to ensure systems remain secure. Organisations should also monitor for unusual behaviour or usage patterns so that security teams can block intruders and protect sensitive data.”
Phil Allen, VP EMEA at Ping Identity:
“The latest high profile data-breaches experienced by Deliveroo and Three Mobile further highlights why the identity and security of customers needs to be taken much more seriously by organisations. Consumers are increasingly becoming targets for many sophisticated hackers through the brands they choose to do business with. The damage inflicted could be limited if high-profile brands invested more in methods such as two-factor and multi-factor authentication to safeguard data and dramatically improve the experience of their customers.
Best practice is now focused on improving the way customers can manage their identity with a consistent secure experience during their online activity. Additional layers of security don’t have to mean extra form-filling for the consumer if it’s seamlessly integrated into the buying process. Businesses may win out in the short-run, but if they want to maintain their reputation and customer loyalty long-term, investment in greater identity security for their customers is critical.”
Javvad Malik, Security Advocate at AlienVault:
“While this is a common tactic to reuse stolen passwords on other accounts, it appears as if Deliveroo didn’t have additional monitoring and fraud detection controls in place.
For example, detection controls should have picked up that a customer is making multiple orders from several different locations that are all outside of their usual home address and flagged it as suspicious.
These types of monitoring and fraud detection controls are not new. If you go abroad and make an unusually large purchase on your credit card, your bank will usually query the transaction with you. Having similar controls should be in place for online retailers.”
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“The Deliveroo incident isn’t so much a breach as a follow on to other breaches. The firm says the attack used passwords from previous breaches on other sites. In other words, the bad guys found the key to the front door of one of the user’s flats when they broke into a different one down the street. Because users still insist on using the same passwords across multiple sites, a breach on one that exposes passwords is like a breach on all. So much trouble could be saved by users using unique passwords – or using a solution to manage passwords that will do it for them.”
Stephen Gates, Chief Research Intelligence Analyst at NSFOCUS:
“It’s interesting to note that many of these problems will simply go away when organisations and users invoke two-factor authentication. Even if a hacker had stolen user-credentials from another possible breach, those credentials are rendered useless when two-factor is enforced. The real question is why haven’t organisations like Deliveroo enforced it? Is it based on the cost of sending text messages as part of the two-factor process, or is it the fear of inconveniencing customers who must perform an additional step when logging in. These are the real questions users need to consider. If organisations do not support two-factor, is it safe doing business with them? Most likely the answer is a resounding “NO”.”
David Emm, Principal Security Researcher at Kaspersky Lab:
“The news that customers of Deliveroo have been billed for food that they didn’t order offers a further illustration for both consumers and businesses that online account security needs to be more carefully considered when balancing convenience and security.
As a society, we like convenience. Businesses, therefore, understandably want to make things as simple as possible, to maximise revenue and attract customers. The trouble is, the less steps a customer needs to take to place an order or log-in to an online account, the less secure the online service is.
In this particular case, it seems that it might have been a ‘stepping stone’ attack, where customer data stolen from another web site was used to access customers’ Deliveroo accounts. The key take-away for consumers is to use a unique password for each online account, so that a compromise of one account doesn’t cause a domino effect that compromises other accounts.
Businesses must ensure they implement two-factor authentication, so that credentials stolen from another site would not be sufficient for an attacker to get access to their customers’ accounts. It is also key for businesses to ensure they are transparent whenever they learn of a breach that affects their customers, even if financial data hasn’t been stolen and even if their own systems weren’t breached directly.”
About the Author
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
